Vault PKI Platform - Issues

Lessons Learned

| Category | Lesson |
|---|---|
| SSH CA Principals | valid_principals MUST be specified on every signing request; default_principals on the role is silently ignored. |
| File → Raft Migration | Run vault operator migrate with the correct cluster_addr set before starting the HA cluster. |
| Certificate TTLs | 8-hour SSH certs force regular renewal (security), while 365-day 802.1X certs reduce endpoint churn. |
| Unseal Keys | Store unseal keys in separate locations (gopass, physical backup). Auto-unseal is planned for the future. |
| TLS Bootstrap | The first node needs a self-signed cert; issue a proper cert from the PKI once it is running. |
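The SSH CA lesson above in working form, as an added example that is not the deployed vault-ssh-sign script: a small bash wrapper that builds the signing request and refuses to submit it when no valid_principals were given, since relying on the role's default_principals produces a cert without the expected principals. The mount path "ssh", the role name "default" and the 8h default TTL are assumptions, not values taken from this page.

```shell
#!/usr/bin/env bash
# Added example, not the project's vault-ssh-sign script: sign an SSH public key
# with explicit valid_principals and verify what Vault actually embedded.
set -eu

# Assumed values: mount path and role name are not taken from the page.
VAULT_SSH_MOUNT="${VAULT_SSH_MOUNT:-ssh}"
VAULT_SSH_ROLE="${VAULT_SSH_ROLE:-default}"

# Print the 'vault write' path and key=value arguments for one signing request.
# Returns 1 (and prints nothing) when the principal list is empty, because
# default_principals on the role would NOT fill it in.
build_sign_request() {
  local pubkey_file="$1" principals="$2" ttl="${3:-8h}"
  if [ -z "$principals" ]; then
    echo "refusing to sign ${pubkey_file}: valid_principals is empty" >&2
    return 1
  fi
  printf '%s/sign/%s public_key=@%s valid_principals=%s ttl=%s' \
    "$VAULT_SSH_MOUNT" "$VAULT_SSH_ROLE" "$pubkey_file" "$principals" "$ttl"
}

# Sign a public key and write the certificate next to it (id_ed25519-cert.pub).
# Requires a logged-in vault CLI. Usage: sign_key ~/.ssh/id_ed25519.pub alice,ops
sign_key() {
  local pubkey_file="$1" principals="${2:-}" ttl="${3:-8h}"
  local args cert_file="${pubkey_file%.pub}-cert.pub"
  args="$(build_sign_request "$pubkey_file" "$principals" "$ttl")" || return 1
  # shellcheck disable=SC2086  # intentional word splitting of the argument list
  vault write -field=signed_key $args > "$cert_file"
  # Show the principals Vault embedded, so a missing one is caught immediately.
  ssh-keygen -L -f "$cert_file" | grep -A1 'Principals:'
}
```

The ssh-keygen -L check at the end is the step worth keeping in any wrapper: a certificate with an empty principal list is still a validly signed certificate, so the failure is only visible by inspecting the issued cert or by a rejected login.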
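The File → Raft migration lesson as an added example, not the project's own migration procedure: a bash script that renders the migration config for vault operator migrate and refuses to run unless cluster_addr is present in scheme://host:port form and Vault is stopped. The storage paths and node_id passed in are placeholders; the migration config format (storage_source, storage_destination and a top-level cluster_addr) follows the vault operator migrate documentation.

```shell
#!/usr/bin/env bash
# Added example, not the project's migration script: move Vault storage from the
# file backend to Raft, checking the cluster_addr prerequisite first.
set -eu

# Print migrate.hcl for a file -> raft move.
# Returns 1 when cluster_addr is missing or not of the form scheme://host:port.
render_migrate_config() {
  local file_path="$1" raft_path="$2" node_id="$3" cluster_addr="${4:-}"
  case "$cluster_addr" in
    *://*:[0-9]*) ;;
    *) echo "cluster_addr must be scheme://host:port (got '${cluster_addr}')" >&2; return 1 ;;
  esac
  cat <<EOF
storage_source "file" {
  path = "${file_path}"
}

storage_destination "raft" {
  path    = "${raft_path}"
  node_id = "${node_id}"
}

cluster_addr = "${cluster_addr}"
EOF
}

# Run the migration with Vault stopped; only afterwards start the first Raft node
# and join the remaining nodes to form the HA cluster.
# Usage: migrate_file_to_raft /var/lib/vault/file /var/lib/vault/raft node1 https://10.0.0.1:8201
migrate_file_to_raft() {
  local cfg
  if pgrep -x vault >/dev/null 2>&1; then
    echo "stop the vault service before migrating storage" >&2
    return 1
  fi
  cfg="$(mktemp)"
  render_migrate_config "$@" > "$cfg" || { rm -f "$cfg"; return 1; }
  vault operator migrate -config="$cfg"
  rm -f "$cfg"
}
```

The ordering matters: the Raft destination needs cluster_addr at migration time, and starting HA nodes against an empty or half-written Raft directory before the migration finishes leaves the cluster in a state that has to be wiped and redone.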

Post-Deployment Status

| Item | Status |
|---|---|
| HA Cluster | Operational (3 nodes) |
| PKI | Root CA (20-year), Intermediate CA (10-year) |
| SSH CA | Active, vault-ssh-sign script deployed |
| KV Store | In use for dsec/gopass integration |
| Monitoring | Wazuh audit events configured |